(54) Protection of computer networks against malicious content

(57) A gateway including an input for receiving communications packets, an output for outputting communications packets generally in real time with respect to receipt thereof, a policy manager determining criteria for collection and inspection of a collection of packets and a packet collection agent receiving packets from the input in accordance with criteria established by the policy manager and including a content inspector inspecting the collection of packets in accordance with criteria established by the policy manager and being operative to prevent supply of at least one packet of a collection of packets to the output when the collection of packets includes undesirable content in accordance with the criteria established by the policy manager.
Description

FIELD OF THE INVENTION

[0001] The present invention relates to computer network communications generally and more particularly to apparatus and methods for providing security in computer network communications.

BACKGROUND OF THE INVENTION 

[0002] There exist a large number of U.S. Patents which deal with security in computer network communications. The following U.S. Patents and the references cited therein are believed to represent the state of the art: [?],918,008; 5,907,834; 5,892,9[illegible]; 5,889,943; 5,881,151; 5,859,966; 5,854,916; 5,842,0[illegible]; 5,83[illegible],208; 5,826,012; 5,822,517; 5,809,[illegible]; 5,802,277; 5,657,473; 5,649,095; 5,623,600; 5,613,002; 5,537,540; 6,511,184; 5,111,163; 5,502,815; 5,485,575; [several numbers illegible]; [illegible],659; 5,319,776.

[0003] The present invention deals with two general types of malicious content which may be communicated over a network to a computer.

[0004] Viruses may be classified in a number of categories, such as file infectors, file system viruses, macro viruses and system/boot record viruses. Whereas viruses require a user to execute a program in order to cause damage, vandals are auto-executable Internet applications and may cause immediate damage. Currently the following types of vandals are known: Java applets, ActiveX objects, scripts and cookies. Vandals may hide in various types of communicated content [remainder of sentence illegible].

[0005] It is known to employ proxy servers to detect and prevent receipt of malicious content by a computer [illegible]. This is described inter alia in the aforesaid U.S. Patents 5,951,698; 5,889,943 & 5,623,600. The use of proxy servers for this purpose has a number of disadvantages including non-real time operation, generation of network bottlenecks, requiring special configuration of each desktop and relative ease of bypass by a user.
SUMMARY OF THE INVENTION

[0006] The present invention seeks to provide apparatus and a method for protection of computers against malicious content generally in real time and without requiring the use of a proxy server.

[0007] There is thus provided in accordance with a preferred embodiment of the present invention a gateway including an input for receiving communications packets, an output for outputting communications packets generally in real time with respect to receipt thereof, a policy manager determining criteria for collection and inspection of a collection of packets and a packet collection agent receiving packets from the input in accordance with criteria established by the policy manager and including a content inspector inspecting the collection of packets in accordance with criteria established by the policy manager and being operative to prevent supply of at least one packet of a collection of packets to the output when the collection of packets includes undesirable content in accordance with the criteria established by the policy manager.

[0008] There is also provided in accordance with a preferred embodiment of the present invention a method for protecting a computer from malicious content comprising the steps of:

determining criteria for collection and inspection of a collection of packets;
receiving packets from among the collection of packets in accordance with the criteria;
inspecting the packets in accordance with the criteria;
preventing output of at least one packet but not all packets of a collection of packets when the collection of packets includes undesirable content in accordance with the criteria; and
outputting packets other than the at least one packet [remainder illegible].

[0009] In accordance with a preferred embodiment of [remainder illegible].

BRIEF DESCRIPTION OF THE DRAWINGS 
[0010] The present invention will be understood and appreciated more fully from the following detailed description, taken in conjunction with the drawings in which:

Fig. 1A is a simplified block diagram illustration of implementation of the invention in a firewall-type configuration for checking incoming Internet but not intranet traffic;
Fig. 1B is a simplified block diagram illustration of implementation of the invention for checking all incoming communications;
Fig. 2 is a simplified block diagram illustration of the use of multiple content inspectors by a single packet collection agent; and
Fig. 3 is a simplified flow chart illustrating operation of a packet collection agent in accordance with a preferred embodiment of the present invention.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0011] The present invention seeks to provide protection of a computer against malicious content without requiring the use of a proxy server.

[0012] Reference is now made to Fig. 1A, which is a simplified block diagram illustration of implementation of the invention in a firewall-type configuration for checking incoming Internet but not intranet traffic. As seen in Fig. 1A, there is provided a typical computer 10 in which resides conventional TCP/IP routing software 12. Computer 10 is typically connected to a network 13.

[0013] In accordance with a preferred embodiment of the present invention a packet collection agent (PCA) 14 is interposed between a network interface card (NIC) 16 which receives Internet traffic and the TCP/IP routing software 12. In this embodiment, a separate NIC 18 handles intranet traffic and does not have a PCA interfaced between it and the TCP/IP routing software 12.

[0014] In accordance with a preferred embodiment of the present invention, the PCA 14 interfaces with policy manager software 20, which determines collection criteria, i.e. which types of packets of which types of files are collected, and inspection criteria, i.e. which types of content in a file are not allowed to pass to or from network 13.

[0015] Based on the criteria established by the policy manager software 20, the PCA 14 operates content inspector software 22, which inspects the packets of a file which fits the criteria for collection and inspection. The content inspector software 22 operates based on criteria established by the policy manager software 20 and reports its inspection findings to the PCA 14. Alternatively, policy manager software 20 may be obviated. In such a case, the PCA 14 and the content inspector software are each programmed with suitable criteria.

[0016] In accordance with a preferred embodiment of the invention, the PCA 14 does not delay transmittal of most packets, even of files that require inspection. Rather, while transmitting all but typically the last packet in a file, it operates content inspector software 22 to inspect the contents of the file. If the contents are found to be acceptable, typically the last packet is released. If the contents of a file are not found to be acceptable by the criteria typically established by the policy manager software 20, at least one packet, typically the last packet, is not released, preventing activation of the unacceptable content by the computer.

[0017] Reference is now made to Fig. 1B, which illustrates implementation of the invention for checking all incoming communications along a network 28. In this illustrated embodiment, as seen in Fig. 1B, there is provided a typical computer 30 on which resides TCP/IP software 32. In accordance with a preferred embodiment of the present invention, a packet collection agent (PCA) 34 is interposed between a network interface card (NIC) 36, which receives Internet and intranet traffic, and the TCP/IP software 32.

[0018] In accordance with a preferred embodiment of the present invention, as in the embodiment of Fig. 1A, the PCA 34 interfaces with policy manager software 40, which determines collection criteria, i.e. which types of packets of which types of files are collected, and inspection criteria, i.e. which types of content in a file are not allowed to pass to the computer.

[0019] Based on the criteria typically established by the policy manager software 40, the PCA 34 operates content inspector software 42, which inspects the packets of a file which fits the criteria for collection and inspection. The content inspector software 42 operates typically based on criteria established by the policy manager software 40 and reports its inspection findings to the PCA 34.

[0020] In accordance with a preferred embodiment of the invention, the PCA 34 does not delay transmittal of most packets, even of files that require inspection. Rather, while transmitting all but typically the last packet in a file, it operates content inspector software 42 to inspect the contents of the file. If the contents are found to be acceptable, typically the last packet is released. If the contents of a file are not found to be acceptable by the criteria typically established by the policy manager software 40, at least one packet, typically the last packet, is not released, preventing activation of the unacceptable content by the computer.

[0021] Reference is now made to Fig. 2, which is a simplified block diagram illustration of the use of multiple content inspectors by a single packet collection agent. As illustrated in Fig. 2, a single PCA 50 may interface with a single policy manager 52, which may, in certain embodiments, be obviated, and with a plurality of content inspectors 54 simultaneously. This type of arrangement may be particularly useful for handling high traffic volumes.

[0022] Reference is now made to Fig. 3, which is a simplified flow chart illustrating operation of a PCA in accordance with a preferred embodiment of the present invention.

[0023] As seen in Fig. 3, upon receipt of a packet, if the packet is received in the context of an existing file and is not the last packet, the packet is simultaneously stored and released to its destination, generally in real time.

[0024] If the packet is the last packet in a file, the PCA typically obtains the inspection criteria from the policy manager and sends all of the packets in the file to a content inspector for inspection in accordance with the inspection policy typically established by the policy manager. If the file passes inspection, the last packet is released as well. If not, the last packet is not released.
[0025] If the packet is the first packet of a new file and thus is a control packet as opposed to a data packet, the PCA employs the collection criteria typically established by the policy manager to determine whether the file requires inspection. If not, the packet and all subsequent packets of that file are released as they arrive. If the file type is not permitted, no packets are released. Otherwise, the packet is released and the subsequent packets are inspected.

[0026] It will be appreciated by persons skilled in the art that [remainder of paragraph illegible].
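As an added example (not part of the patent or its figures), the following Python simulation follows the Fig. 3 flow for one packet collection agent: the collection criteria are applied on the first (control) packet, data packets are stored and released as they arrive, and only the last packet is withheld when the inspector flags the collected file. The Packet fields, the file-type policy tables and the "EVIL" byte signature are assumptions constructed for the simulation.

```python
from dataclasses import dataclass
@dataclass
class Packet:
    file_id: str            # which file transfer the packet belongs to (assumed field)
    payload: bytes          # control packet: file name; data packet: file content
    control: bool = False   # True for the first packet of a new file
    last: bool = False      # True for the last packet of the file
class PolicyManager:
    collect = {".exe", ".class", ".vbs"}  # collection criteria: file types to inspect
    never_release = {".scr"}             # never released, even without inspection (claim 6)
    signatures = [b"EVIL"]               # inspection criterion: constructed byte pattern
def content_inspector(packets, policy):
    """Inspect the whole collected file; True when no undesirable content is found."""
    data = b"".join(p.payload for p in packets)
    return not any(sig in data for sig in policy.signatures)
class PacketCollectionAgent:
    def __init__(self, policy, inspector):
        self.policy, self.inspector = policy, inspector
        self.store, self.mode = {}, {}   # per file: collected packets; "drop"/"pass"/"inspect"
    def receive(self, pkt):
        """Fig. 3 flow: return the packets released to the output on this arrival."""
        fid = pkt.file_id
        if pkt.control:   # first packet of a new file: apply the collection criteria
            ext = "." + pkt.payload.decode().rsplit(".", 1)[-1].lower()
            if ext in self.policy.never_release:
                self.mode[fid] = "drop"
            elif ext not in self.policy.collect:
                self.mode[fid] = "pass"
            else:
                self.mode[fid], self.store[fid] = "inspect", []
        mode = self.mode.get(fid, "pass")
        if mode != "inspect":
            return [] if mode == "drop" else [pkt]
        self.store[fid].append(pkt)      # stored and released simultaneously
        if not pkt.last:
            return [pkt]                 # all but the last packet flow in real time
        clean = self.inspector(self.store.pop(fid), self.policy)
        return [pkt] if clean else []    # the last packet is withheld when content is bad
def released_counts(packets):
    """Feed a packet stream through one PCA and count released packets per file."""
    pca = PacketCollectionAgent(PolicyManager(), content_inspector)
    counts = {}
    for p in packets:
        counts[p.file_id] = counts.get(p.file_id, 0) + len(pca.receive(p))
    return counts
SAMPLE = [  # constructed stream: three interleaved file transfers (f3 is a blocked type)
    Packet("f1", b"setup.exe", control=True), Packet("f2", b"notes.txt", control=True),
    Packet("f1", b"MZ..."), Packet("f2", b"hello"), Packet("f3", b"x.scr", control=True),
    Packet("f1", b"..EVIL.."), Packet("f3", b"data"), Packet("f1", b"end", last=True),
    Packet("f2", b"bye", last=True)]
```

Running released_counts(SAMPLE) shows the three outcomes side by side: f1 loses only its last packet, f2 passes through untouched, and f3 is never released.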
Claims

1. A gateway comprising:

an input for receiving communications packets;
an output for outputting communications packets generally in real time with respect to receipt thereof;
a policy manager determining criteria for collection and inspection of a collection of packets;
a packet collection agent receiving packets from said input in accordance with criteria established by said policy manager; and
at least one content inspector operated by the packet collection agent for inspecting said collection of packets in accordance with criteria established by said policy manager,
said packet collection agent being operative to prevent supply of at least one packet of a collection of packets to said output when said collection of packets includes undesirable content in accordance with the criteria established by said policy manager.

2. A gateway according to claim 1 and wherein said at least one packet is the last packet of a file.

3. A gateway according to claim 1 or claim 2 and [remainder illegible].

4. [claim text illegible]

5. A gateway according to any of claims 1 to 4 and wherein said packet collection agent operates plural content inspectors simultaneously.

6. A gateway according to any of claims 1 to 5 and wherein said policy manager determines criteria whereby some types of files are not released even without inspection by a content inspector.

7. A gateway according to any of claims 1 to 6 and wherein said packet collection agent operates on Internet but not on intranet traffic.

8. A gateway comprising:

an input for receiving communications packets;
an output for outputting communications packets [illegible];
a packet collection agent receiving packets [illegible] established by said policy manager; and
a content inspector operated by the packet collection agent for inspecting said collection of packets and being operative to prevent supply of at least one packet of a collection of packets to said output when said collection of packets includes undesirable content [remainder illegible].

9. A gateway according to claim 8 and wherein said at least one packet is the last packet of a file.

10. A gateway according to claim 8 and wherein a policy manager determines criteria whereby not all files [remainder illegible].

11. A method for protecting a computer from malicious content comprising the steps of:

determining criteria for collection and inspection of a collection of packets;
receiving packets from among the collection of packets in accordance with the criteria;
inspecting the packets in accordance with the criteria;
preventing output of at least one packet but not all packets of a collection of packets when the collection of packets includes undesirable content in accordance with the criteria; and
outputting packets other than the at least one packet [remainder illegible].

12. [claim text illegible]

13. A method according to claim 11 and wherein a policy manager determines criteria whereby not all files are inspected.

14. A method according to claim 11 and wherein a packet collection agent inspects all packets of files that are to be inspected.

15. A method according to claim 11 and wherein a packet collection agent operates plural content inspectors simultaneously.

16. A method according to claim 11 and wherein a policy manager determines criteria whereby some types of files are not released even without inspection by a content inspector.

17. A gateway according to claim 11 and wherein a packet collection agent operates on Internet but not on intranet traffic.